
Software security is a highly technical and vital skill in today's evolving technological marketplace. Even so, programs specializing in this area are quite rare. In fact, it's more common to find a professional in this field with a Bachelor's or Master's degree in computer science than it is to find experts who have achieved a certification in software security.

Software Security Degrees Are on the Rise

More institutions are providing programs and degrees focused on the security aspect of information technology than ever before. Part of the reason for this is the significant projected increase in the number of jobs available in the field. In fact, the Bureau of Labor Statistics estimates the industry will grow by 36%.

The growth of technology and the ever-expanding number of applications are a significant contributing factor. As new technology appears and grows, so does the risk of system vulnerabilities and the need for specialists to mitigate and protect against them using penetration testing tools and other preventative procedures.

What to Expect in a Software Security Degree Program

If you're interested in a software security degree program, you'll find that a healthy interest in technology and in solving intricate problems will help a lot. By the time you've received your degree, you'll have a detailed understanding of the challenges involved in securing network and computer systems, and be able to use technological tools and protocols to minimize risks. You'll feel confident knowing you can restore various systems after an attack and be comfortable providing security for mobile and software management.

You'll cover the basics of software engineering and telecommunication network fundamentals, and have the option to include additional classes such as business management and managerial economics. Just because this program focuses on software security doesn't mean there's no variety.

Some programs, such as the Master of Science in Information Technology – Information Security designation (MSIT-IS degree program) from INI Pittsburgh-Silicon Valley, offer concentrations in Mobility, Information Security, or Software Management. You're not confined to standard classroom learning either. Some programs offer an internship, while many classes are available online, which is perfect for students who may otherwise be unable to take this kind of program.

Certifications in this area can be attained in as little as two years, although the education can take up to four. Most potential employers will consider applicants who combine a degree with practical experience, and this is where internships can make a significant difference.

Where Can You Work With a Software Security Degree?

The job titles currently available to those with a software security degree can include information technology specialist, data security administrator and computer security specialist, among others. Applications can involve the health care industry, financial businesses, or any business that requires any sort of computer program to function. This leaves the field wide open to those who wish to specialize in this fast-growing career choice. The money isn't bad either; annual salary starts at an average of $50K per year and goes up from there.

With the need for software security experts on the rise, and everyone getting online, you can work in almost any industry. Combine your degree with other interests, and you may just find the career you've always dreamed of.

This is a guest post by Fergal Glynn. Fergal is the director of product marketing and a frequent writer for Veracode. The Veracode platform helps websites of all kinds avoid cross site scripting vulnerabilities. Fergal has spent the last decade working primarily in online security and software development.

In 2008 we published an article on cloud computing, which basically said: don't turn off your local datacenter. To be honest, Shortinfosec was a little hypocritical in that article, since Shortinfosec was and is hosted in the cloud. After three years, and a lot of additional examples of cloud development, it is time for a serious reconsideration.

Our original argument was that the confidentiality, integrity and availability triad was unsustainable in the cloud world at the time (2008). Today, things are looking different:

Backup storage is humming in the cloud in some form or another, and is being used by enterprises.

At least 3 different vendors of banking software are collaborating with cloud service providers to enable the cloud operation of their software (Tieto, Misys, Temenos).

E-mail and office applications are happily running in the cloud (Google, Microsoft).

Web applications are more available than ever.

Since this article would become too long if we discussed all possible cloud applications, let's start with the simplest one: web hosting.

From its inception, web hosting was in a sense hosted in the cloud, but a very simple cloud. Very few people or even companies own and operate web servers; most host their web sites on provider servers throughout the world. But hosting is not exactly the cloud. The cloud offers much more for web hosting.

Now, this is not the time to start thinking: "I'm thinking of upgrading my web host and I've been checking some web hosting reviews. It's pretty hard to decide which host, especially when reading the editorial and user reviews, since all of them have good reviews. Let's go on and choose the most expensive one."

When considering moving your web site to the cloud, understand the strengths and weaknesses of the cloud:

Strengths

Availability - any cloud service is distributed over multiple servers, datacenters and sites, and the cloud systems can transfer the hosted applications/sites near-instantly across this infrastructure. So even if a server fails, your availability will be nearly unharmed.

Coping with large load variations - again, since there are multiple servers and datacenters, if your application/site suddenly becomes very popular, the cloud infrastructure won't fall to its knees under the load of additional requests.

Timely and consistent updates - the underlying servers of the cloud infrastructure need to be fully consistent with each other. Also, since they are running many customers' applications/sites, a failure due to a patch is not something the cloud service will accept. So you can rely on the fact that all servers will be very quickly and consistently updated.

Extremely fast scaling out - if your application/site has a sustained high visit rate, it needs more servers to run on. This is very easy to implement in the multi-server, multi-site environment of a cloud service.

Weaknesses

Custom platform - each cloud service provider designs the cloud service environment with its own specifics, like the underlying operating system, databases, application server and development platform. These are fixed across the entire cloud platform, and if you wish your application/site to run on the cloud service, you must make it work with the cloud service.

Lock-in - once you have adjusted the entire application/site to run on the cloud service environment, it may be difficult to move it to another cloud service provider, since then you'll need to re-adjust everything to run on the new cloud service. This is even more difficult if the application/site was developed from scratch with a specific cloud service in mind.

Isolation breach - your application/service is not the only one running on the cloud service systems. A breach of the isolation controls between different applications/customers can cause access to proprietary data, use of another party's resources and in general a very large amount of grief for everyone involved. At the least, you could be billed for resources that another application consumed in your context because of such a breach.

Data protection - placing your application/site in the cloud also puts its data in the cloud. This data is very important to you, and sometimes very confidential in nature. Since all this data is managed by the service provider, incidents of data loss, data leaks and security breaches can all happen.

Cost - the cloud service providers have a lot of innovative pricing mechanisms, like pricing per I/O, per CPU used, per bandwidth, or any combination of those. So while efficiency and availability will definitely increase, so may the costs of your hosting.

The cloud is very ripe for web services. But before you choose one, be careful to weigh the pros and cons seriously. If you can match your application/site to a cloud service, you can bring it to a new level of efficient operation.

Every corporation nowadays is very concerned with account security. And the first thing that an auditor or security officer asks about is the treatment and storage of the default admin accounts (root, administrator, sa, DBO...). We don't need to repeat the well known mantra of not using the default accounts for daily use.

But these accounts and passwords still need to be well secured, in order to achieve the following criteria:

Security - the passwords for the default admin accounts need to be strong and complex, and should withstand most attempts at brute force or social engineering attacks.

Confidentiality - no single person should know the default admin account password, since he/she could abuse this account for gain or to cause damage.

Availability - in times of crisis, the organization may still need to use these default admin accounts, so they cannot be lost.

The following procedure can be applied by any organization, and it meets all three criteria.

Security and Confidentiality - the passwords should be constructed in two parts, each part entered by a different person. Having two people create a password increases the complexity significantly, and reduces the possibility of using social knowledge about a single person to attack the password. Also, no single person knows the whole password.

Confidentiality and Availability - the parts of the password should be written on separate pieces of paper marked "first part" and "second part" and stored in separate envelopes. These two envelopes should then be stored in a tamper evident envelope.

Placing the passwords in a tamper evident envelope is the point where most attempts at secure storage fail. The usual excuse is that tamper evident envelopes are not readily available, or even that they cannot be ordered through central procurement. This is rarely true, since such envelopes are available in most office supply stores.

But even if such envelopes are not available, you can easily create a DIY tamper evident envelope like this:

Take an ordinary envelope.

Ask your manager to sign his name at least 2 times on the edges of the envelope, from both sides.

Cover the length of the signed edges with transparent adhesive tape (scotch tape) - make sure that the tape overlaps the edge of the envelope.

Put the password envelopes inside the tamper-evident envelope.

Seal the envelope, and have the manager sign across the edge where the envelope is sealed.

Cover the length of the seal and the signatures with the adhesive tape - make sure that the tape touches both the flap and the envelope surface as well as the signatures.

The end result can be seen on the following image.

Through this process you have created a crude tamper-evident envelope. If someone tries to open this envelope at any edge or through the sealed flap, he/she will damage the adhesive tape, and this damage is easily visible. If someone tries to remove the adhesive tape prior to opening the envelope, the removed tape will take with it the signature that it covers, thus showing that the envelope was tampered with.

Once this step is out of the way, securing the password can be finished by storing the envelope in the department safe, where employees can still get to it if needed (in a crisis situation).

This process is very simple to follow, and can be applied in one afternoon. All it takes is 3 people, some envelopes and the will to secure the default admin accounts. Just make sure that you reset the passwords of the default admin accounts in all places where they are used, like service/daemon accounts and system jobs, otherwise those services will fail at the next restart with the old credentials.
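As an added illustration of the two-part construction described above (example code, not part of the original post), the following Python models the split custody digitally: each custodian generates one part from a CSPRNG, the account password is the first part followed by the second, the combined password is checked against a complexity policy before sealing, and a SHA-256 fingerprint kept in the safe log lets the retrieved parts be verified against what was sealed, which catches paper transcription errors. The function names, the 12-character parts and the 20-character policy minimum are assumptions for this example.

```python
"""Split-knowledge custody for a default admin password (added example).

Two custodians each contribute a part; neither alone knows the whole
password, yet the two envelopes together restore it in a crisis.
"""
import hashlib
import secrets
import string

# Character set for generated parts; punctuation is limited to symbols
# that are unambiguous when written on paper (assumption for this example).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_part(length=12, rng=secrets):
    """One custodian's part, drawn from a CSPRNG so it carries no
    social knowledge (names, dates, pets) that could be guessed."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def combine(first_part, second_part):
    """The account password is the first part followed by the second."""
    return first_part + second_part


def meets_policy(password, min_len=20):
    """Complexity policy: minimum length plus all four character classes.
    The two parts are checked together, never individually."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    return len(password) >= min_len and all(
        (has_lower, has_upper, has_digit, has_punct))


def fingerprint(password):
    """SHA-256 of the full password, recorded in the safe log.
    This is only acceptable because the password is long and random;
    a plain hash of a weak password would be trivially brute-forced."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def seal(first_part, second_part):
    """Sealing step: returns the contents of the two inner envelopes and
    the fingerprint to log alongside the tamper-evident outer envelope."""
    password = combine(first_part, second_part)
    if not meets_policy(password):
        raise ValueError("combined password does not meet the policy")
    return {"envelope_1": first_part,
            "envelope_2": second_part,
            "fingerprint": fingerprint(password)}


def retrieve(envelope_1, envelope_2, logged_fingerprint):
    """Crisis retrieval: reassemble the parts and verify them against the
    logged fingerprint before anyone types the password into a system."""
    password = combine(envelope_1, envelope_2)
    if fingerprint(password) != logged_fingerprint:
        raise ValueError("parts do not match the sealed password")
    return password


if __name__ == "__main__":
    sealed = seal(generate_part(), generate_part())
    print("envelope 1:", sealed["envelope_1"])
    print("envelope 2:", sealed["envelope_2"])
    print("log entry :", sealed["fingerprint"])
```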

Computer hackers and cyber-terrorists can wreak havoc on information systems (IS). Because of this looming threat, the demand for cyber-security specialists – and information security training – is on the rise.

Trained and certified IS security professionals are needed to combat these threats and vulnerabilities, which can be incredibly costly to organizations. In fact, a Reuters special report noted that the IS security market is estimated to be between $80 billion and $140 billion a year worldwide.

IS Security Opportunities

Industry experts suggest that there is a tremendous need for IS security specialists in both the commercial sector and government. National Public Radio (NPR) recently interviewed James Gosler, a veteran cyber-security specialist who has worked at the CIA, National Security Agency and Energy Department.

Gosler estimated that there are only about 1,000 people in the United States who have the necessary skills to tackle the most challenging IS security tasks, but noted that some 20,000 to 30,000 highly trained security professionals are needed to meet the needs of corporations and government agencies. The U.S. Bureau of Labor Statistics (BLS) projects that employment in this field will grow much faster than the average for all occupations, with an increase of 20% or more between 2008 and 2018.

Career Options, Salaries and Job Duties

If you’re considering a career in IS security, you’ll find job openings in a variety of related areas. Security specialists may be found in each of the following BLS occupational groups, and often enjoy salaries in excess of $100,000 per year:*

Computer Specialists: $41,680 – $115,050

Database Administrators: $40,780 – $114,200

Computer Systems Analysts: $47,130 – $119,170

Network Systems and Data Communications Analysts: $42,880 – $116,120

Computer and Information Systems Managers: $69,900 – $166,400

IS security specialists with industry certification typically earn salaries at the higher end of the range. For example, a 2009 salary survey by Certification Magazine found that professionals with the Certified Information Systems Security Professional (CISSP®) credential earned an average annual salary of $108,630.

As an IS security professional, your work might involve encrypting data transmissions, implementing firewalls and developing a formal strategy to protect computer files from unauthorized access. You may also be charged with policing violations of security procedures, and taking corrective or punitive measures.

Other duties include controlling, granting or restricting access to files as required by users; tracking and proactively addressing potential computer virus threats; and performing risk assessments and tests to ensure that security protocols are functioning as intended.

Education and Training

Most IS security jobs require at least a bachelor’s degree in a field such as computer information systems, information technology or engineering. Experience in software or computer hardware design is also beneficial. Candidates with specialized information security training will enjoy the best prospects.

To help meet the demand for government IS security personnel, the Department of Justice sponsors the Federal Cyber Corps Program. College juniors or first-year graduate students who are pursuing a relevant degree and planning on a career in the IS security field are eligible to apply.

Participants receive a monthly stipend of about $1,000 plus tuition, room and board, and travel to conferences. In return, students are expected to complete a summer internship with a federal agency.

Working professionals can pursue information security training through continuing education programs. Online security training is a great way to develop the knowledge and skills required to practice in this specialized field.

Some online security training programs even prepare participants to earn salary-boosting certifications, such as the CISSP®, SSCP® and CAP® designations from (ISC)2® and the CompTIA Security+™ certification.

Do you think you have what it takes to succeed in this challenging field? Employers and government agencies are actively seeking cyber warriors to safeguard critical information infrastructures against security threats. With a computer-related degree and relevant information systems security training, you’ll find yourself in high demand for rewarding, high-paying IS security jobs.

This is a guest post by Claudia Vandermilt. Claudia works in conjunction with Villanova University and University Alliance to promote professional training materials. She’s currently taking Advanced Information Assurance and Security and looks for exciting security news in her daily RSS.

Having antivirus software is the gold standard in the Windows world. But what if you are using a Mac? The prevailing opinion is that there aren't enough viruses or malware in the wild to merit having an antivirus.

But in reality, while very few people can name 5 viruses for Mac off the top of their heads, the Mac has a lot of issues. For instance, Safari does not have a stellar reputation on security. In March 2011, at CanSecWest, a Mac running Safari fell victim to a security exploit in under 10 seconds.

Also, social engineering attacks can easily be used to con the user into running malware on their Mac. So having an antivirus and antimalware package on your Mac is a very wise choice.

But this brings us to another problem: which antivirus software packages have a Mac version? As of June 2011, Wikipedia lists only 16 out of 62 antivirus software packages as supporting the Mac. In a very interesting marketing move, some antivirus manufacturers actually offer free use of antivirus packages for Mac. Norton has another very interesting combination product - one part runs on the native Mac OS and another runs in the Windows environment available through Boot Camp.

A policy of running antivirus on Macs is a very wise choice for corporate environments. If a corporate environment is just starting to adopt the Mac platform, one can start 'light' with the free antivirus packages. These are not manageable through a central console, so you will soon be looking for a corporate antivirus platform that includes Mac antivirus software. But while you are running only a couple of Macs, the free packages will help immensely.

A server is essentially a computer that does nothing else but supply and store information for other computers. You could be using one of your computers as a server in your office, for example.

This computer would then be called a server, and it supplies information (even software applications) and data to other computers, which basically become user terminals. If you have an e-commerce site, or you have a lot of important information that you want to keep safe and secure, you should be looking at the best dedicated server provider in your country or region.

Normally, when you register for a website, your website is hosted on what is called a shared server. This means your website and information are stored on a computer that is used by many other customers of that provider. In the case of a dedicated server, you have a whole computer and network connection to yourself.

Here is a comparison of normal shared servers and dedicated servers to illuminate the issue.

Traffic Issues. If someone else’s website gets a lot of traffic, and your website and database are on the same server, your website will start to slow down. You cannot have this happening if your website and database are crucial to your business operations. With a dedicated server, you have the one whole computer to yourself, and there will be no influence on your traffic from outside sources.

Size. What happens when your website grows? With a shared server, you will have to keep buying extra space. With a dedicated server, you have the whole computer, and this means it is much harder to run out of space.

Security. Information on shared servers is never as secure as on dedicated servers. There are multiple accounts and multiple users. Do you really want your important company information on a computer that is also being used by other people?

Service. Dedicated servers normally come with a range of services, such as backup, security and support. If your information is on a computer provided by a normal shared server supplier, you cannot expect the same service. Do not expect the computer support for shared servers to match the response times of that provided by your dedicated server company. Dedicated also means the company should be dedicated to you, and not just that you have your own server.

Location. Just like any other hosted server, your dedicated server will be kept in a very secure location. This is much better than having a server in your own office, for example. It would be possible to run your own e-commerce site from your own office, but you would need the technical know-how and computer support to manage your own server. Normally, that will require outsourcing IT services or employing your own team.

Cost. Dedicated servers will obviously cost considerably more than shared hosting. If your e-commerce site is growing, for example, having a smooth, fast and reliable website will mean more money. Investment in a dedicated server is an investment in your revenue stream.

In essence, dedicated servers are necessary for anyone who is making revenue from a site with a lot of traffic. You need to be sure that your business is managed, monitored, protected and stands alone from anyone else's business on the internet. You can always switch your website to a managed server as it grows, although for those who are serious about e-commerce, setting it up to be stand-alone from the beginning is still the best option.

This is a guest post by Tom Mallet, an Australian freelance writer and journalist. He writes extensively in Australia, Canada, Europe, and the US. He's published more than 500 articles about various topics, including dedicated servers and computer support.